runlocal

Data Processing Agreement

Last updated: March 1, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Whitenoise AS ("Processor", "we") and you ("Controller", "you") for the use of the Runlocal service ("Service"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

  • "Personal Data" means any data relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose

The Processor operates a tunnel service that forwards HTTP traffic between the public internet and the Controller's local development server via WebSocket. The Service does not store, log, or persist any HTTP request or response data. Processing is limited to real-time forwarding of traffic.

3. Types of Personal Data

The Personal Data processed depends entirely on the HTTP traffic that flows through the tunnel. This may include any data contained in HTTP request and response bodies, headers, and URLs. The Processor does not inspect, store, or log this data — it is forwarded in real time and never persisted.

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only by forwarding it in real time as instructed through the tunnel connection
  • Not store, log, or persist any HTTP traffic data
  • Ensure that persons authorized to operate the Service are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure security of processing (see Section 6)
  • Not engage another processor without prior written authorization from the Controller (see Section 7)
  • Assist the Controller in responding to data subject requests
  • Make available all information necessary to demonstrate compliance and allow for audits

5. Obligations of the Controller

The Controller shall:

  • Ensure there is a lawful basis for processing Personal Data through the Service
  • Not use the tunnel to transmit data that requires higher security measures than those provided
  • Ensure that data subjects are informed about the processing as required by GDPR

6. Technical and Organizational Measures

The Processor implements the following security measures:

  • Encryption in transit: All data transmitted via TLS 1.2 or higher (HTTPS and WSS)
  • No data at rest: HTTP traffic is forwarded in real time and never written to disk
  • Access control: SSH key-based server access, no shared credentials
  • Data minimization: No traffic data is stored, logged, or aggregated
  • Infrastructure: Hosted in netcup data center, Nuremberg, Germany (ISO 27001 certified)

7. Sub-processors

The Controller authorizes the Processor to use the following sub-processor:

Company        Purpose                   Location
netcup GmbH    Infrastructure hosting    Nuremberg, Germany

The Processor shall notify the Controller of any intended changes to sub-processors at least 30 days in advance. If the Controller objects, they may terminate the Service within 30 days.

8. Data Breach Notification

The Processor shall:

  • Notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a personal data breach
  • Provide sufficient information for the Controller to meet its obligations under Articles 33 and 34 GDPR

9. Data Location

All processing occurs within the European Union (Nuremberg, Germany). The Processor shall not transfer Personal Data outside the EU/EEA without the prior written consent of the Controller.

10. Data Retention

The Service does not retain any HTTP traffic data. Tunnel sessions exist only in memory and are released when the client disconnects. There is no data to delete upon termination because no data is stored.

11. Audits

The Processor shall make available all information necessary to demonstrate compliance with this DPA and allow for audits. Audit requests should be submitted in writing with reasonable notice.

12. Term and Termination

This DPA is effective for the duration of the Controller's use of the Service. Since no data is stored, no post-termination data handling is required.

13. Governing Law

This DPA is governed by the laws of Norway. Any disputes shall be resolved in the courts of Oslo, Norway.

14. Contact